-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support mTLS clusters for e2e testing #11092
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with two minor comments but nothing blocking.
@@ -45,7 +45,7 @@ resource "aws_security_group" "primary" { | |||
# Consul | |||
ingress { | |||
from_port = 8500 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this be changed also to 8501
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unlike Nomad, Consul uses separate ports for HTTP vs HTTPs, and convention is to use 8500 for plaintext and 8501 for TLS. As TLS is optional, I exposed both ports. Will add a comment.
e2e/terraform/tls_ca.tf
Outdated
resource "tls_private_key" "ca" { | ||
algorithm = "ECDSA" | ||
ecdsa_curve = "P384" | ||
} | ||
|
||
resource "tls_self_signed_cert" "ca" { | ||
key_algorithm = "ECDSA" | ||
private_key_pem = tls_private_key.ca.private_key_pem | ||
|
||
subject { | ||
common_name = "${local.random_name} Nomad E2E Cluster" | ||
organization = local.random_name | ||
} | ||
|
||
validity_period_hours = 720 | ||
|
||
is_ca_certificate = true | ||
allowed_uses = ["cert_signing"] | ||
} | ||
|
||
resource "local_file" "ca_key" { | ||
filename = "keys/tls_ca.key" | ||
content = tls_private_key.ca.private_key_pem | ||
} | ||
|
||
resource "local_file" "ca_cert" { | ||
filename = "keys/tls_ca.crt" | ||
content = tls_self_signed_cert.ca.cert_pem | ||
} | ||
|
||
resource "tls_private_key" "api_client" { | ||
algorithm = "ECDSA" | ||
ecdsa_curve = "P384" | ||
} | ||
|
||
resource "tls_cert_request" "api_client" { | ||
key_algorithm = "ECDSA" | ||
private_key_pem = tls_private_key.api_client.private_key_pem | ||
|
||
subject { | ||
common_name = "${local.random_name} api client" | ||
} | ||
} | ||
|
||
resource "tls_locally_signed_cert" "api_client" { | ||
cert_request_pem = tls_cert_request.api_client.cert_request_pem | ||
ca_key_algorithm = tls_private_key.ca.algorithm | ||
ca_private_key_pem = tls_private_key.ca.private_key_pem | ||
ca_cert_pem = tls_self_signed_cert.ca.cert_pem | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we run terraform fmt
on this file?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch. - I expected make hclfmt
to format all terraform files as well. I will format the files here, then format the rest of files in a follow up PR.
@@ -2,7 +2,7 @@ | |||
|
|||
set -o errexit | |||
set -o nounset | |||
set +x | |||
set -x |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accidental change while debugging - will change back.
and minor tweaks
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. |
This allows us to spin up e2e clusters with mTLS configured for all HashiCorp services, i.e. Nomad, Consul, and Vault. Used it for testing #11089 .
mTLS is disabled by default. I have not updated Windows provisioning scripts yet - Windows also lacks ACL support from before. I intend to follow up for them in another round.